Professional Documents
Culture Documents
This IEEE Cloud Computing tutorial has been developed by Cloud Strategy Partners, LLC.
Cloud Strategy Partners, LLC is an expert consultancy firm that specializes in Technology
and Strategy relating to Cloud Computing.
Transcript pg. 2 / 16
Course Summary
In this tutorial we will review the global character of cloud including both opportunities and
problems. We will also review the geographical distribution of major cloud providers as well
as examine interoperability, compatibility, and portability. We will also discuss cloud security
and compliance with a focus on compliance standards and cloud certification and auditing.
We will review an example Cloud PCI DSS compliance analysis and finally, discuss cloud
dependability and security with a focus on incident response and eDiscovery.
Transcript pg. 3 / 16
Transcript
Course Outline
In this Lesson we will cover the following topics:
Transcript pg. 4 / 16
Transcript
Transcript pg. 5 / 16
Transcript
Geographical Availability
The Cloud Service providers, then, have arranged their Geographical Availability to best
support the global footprint. Cloud Service Providers infrastructure is geographically
separated on regions, availability zones, points of presence. We will look next at details of
several major providers geographic footprint strategies.
Transcript pg. 6 / 16
Transcript
Interoperability
Compatibility
Integration
Localization
Portability
Mobility
Dependability
Transcript pg. 7 / 16
Transcript
Standardization
Best practices
Industry Whitepapers
Interoperability testing
Certification
The global cloud computing landscape has a long way to go to catch up with the consistency
and interoperability of the Telephone or the Internet, that is for sure
Application Portability
One of the main issues in the cloud landscape is the lack of portability across clouds. That is,
the methods and interfaces one uses to put services on a particular vendors cloud are in
almost all cases quite different for a different vendors cloud. There are issues in
Data portability
Network portability
Security portability
Transcript pg. 8 / 16
Transcript
Transcript pg. 9 / 16
Transcript
Transcript pg. 10 / 16
Transcript
Transcript pg. 11 / 16
Transcript
Cloud service providers must have clear mechanisms to evaluate and communicate
capabilities Regulators and industry governing bodies need to have confidence that their
requirements are met and verified.
Segmentation Considerations
You might have noticed from some of the previous slides that Segmentation is a key concern
for PCI. Segmentation means that machines and networks and storage which carry credit
card information must be separated from other general purpose IT assets.
In classic IT system this meant different servers, different storage boxes, and different
networks in the case of network initially actual separate physical networks joined at only
specific locations with tightly controlled firewalls. Eventually compliance experts became
comfortable with network segmentation based on VLANS.
In the Cloud environment with more and more virtualization of resources, it is impossible to
apply the same segmentation rules. While different techniques maybe used (as in the VLAN
example) Segmentation on a cloud based infrastructure must ensure similar level of
segmentation as with physical infrastructure. Mechanisms to ensure appropriate
segmentation may be applied at the network, operating system and application layers.
The slide details some Examples of correctly segmented cloud environments, and also
details Examples of not correct segmentation
Segmentation Technologies
In order to satisfy the requirement of segmentation in a virtualized environment, without the
ability to have separate physical infrastructures (physical servers, networks, storage etc.)
Transcript pg. 12 / 16
Transcript
compliance professionals have agreed, techniques taking into consideration the virtual
environment are needed.
Some of these are: Physical firewalls and network segmentation at the infrastructure level,
especially for the management network Firewalls at the hypervisor and VM level VLAN
tagging, in addition to firewalls Software Intrusion prevention system at the hypervisor layer
Data loss prevention tools at the hypervisor and/or VM level Controls to prevent out-of-band
communications Isolation of shared processes and resources from client environments
Segmented data storage for each client Strong, two-factor authentication Separation of duties
and administrative oversight Continuous logging and monitoring of perimeter traffic
Transcript pg. 13 / 16
Transcript
First is, the entire environment, from underlying hardware and management, to the cloud
infrastructure, to everything the developers bring to make the application come alive, all of
this must be considered. Any open issues need to have a mitigating control applied, which
can be a manual check, an additional procedure, or a risk analysis with a regular sign-off
indicating the organization is aware of the issue and has determined it to be of minimum
concern.
Dependability
Now we will examine a closely related concept to security and compliance, called
dependability. Dependability is a system property that reflects the extent of the users
confidence that it will operate as users expect and that it will not fail in normal use. As
clouds become a mainstream technology, dependability of cloud based infrastructure and
services become more critical. In systems engineering, dependability is a measure of a
system's availability, reliability, and its maintainability.
Transcript pg. 14 / 16
Transcript
even be saved to a different availability zone. Some IaaS systems or tools support IP address
fixups in snapshots to support exporting them to a different availability zone. If the original
application fails (or that whole datacenter / availability zone fails then there is watchdog
software which reconstitutes the snapshot image in that new availability zone. Local DNS or
Load Balancer may have to be reconfigured to point traffic to this other location.
Another Method is called replication, where there are multiple running instances of the
application sharing some core component like a Database. That Database might be
replicated/clustered across availability zones for example. While both application replicates
are running they share the load. If one replicate dies, the remaining one will handle the lad
while a replacement is being brought up by the watchdog software.
There are many other techniques for increasing Dependability, Reliability and Failure
protection including Memory rejuvenation and also more features from the so-called
watchdog software, which may be an add-on, or may come from the cloud system software
company.
eDiscovery: Definition
Electronic discovery (eDiscovery) was the subject of amendments to the Federal Rules of
Civil Procedure (FRCP), effective December 1, 2006, as amended to December 1, 2010.
It is a more general recognition that many software tools keep electronic records which are
important in legal actions. Emails, Instant Messages, Memos, postings on internal Blogs and
Wikis, are all examples of a widened concept of electronic records.
eDiscovery is the electronic aspect of identifying, collecting and producing electronically
stored information (ESI) Electronic discovery (or e-discovery or eDiscovery) refers to
discovery in civil litigation or government investigations which deals with the exchange of
information in electronic format.
Data are identified as potentially relevant by attorneys and placed on legal hold. Electronic
information is usually accompanied by metadata can play an important part as evidence (for
example the date and time a file was modified can be useful in an analysis).
Transcript pg. 15 / 16
Transcript
Complexity and lack of standardization Data export capabilities, including metadata export
Cloud Object Storage is not like a filesystem with filenames and dates Typically cloud tools
are not designed to do arbitrary data export Lack of special tools and applications Cloud
providers may limit access to data only by using their own tools. Especially on Cloud,
applications need to make an eDiscovery plan ahead of time.
Transcript pg. 16 / 16